【要点】

◎中国のサイバー攻撃組織(APT攻撃)。

【辞書】

◆Emissary Panda (Malpedia)
https://malpedia.caad.fkie.fraunhofer.de/actor/emissary_panda

◆LuckyMouse (Malpedia)
https://malpedia.caad.fkie.fraunhofer.de/actor/luckymouse

【概要】

■組織名

攻撃組織名	命名組織
APT27	FireEye
ARCHERFISH
Bronze Union	SecureWorks
Emissary Panda	CrowdStrike, NCC Group
Group 35	Cisco
HIPPOTeam
Iron Tiger
LuckyMouse	Kaspersky
TEMP.Hippo
TG-3390	SecureWorks
Threat Group-3390
ZipToken

■関係国

• 中国

【最新情報】

◆中国系ハッカーが台湾の重要インフラを攻撃しない理由 (Wedge, 2022/08/08 13:46)
https://wedge.ismedia.jp/articles/-/27534
⇒ https://malware-log.hatenablog.com/entry/2022/08/08/000000_2

◆Chinese hackers backdoor chat app with new Linux, macOS malware (BleepingComputer, 2022/08/12)
[中国のハッカーがLinuxとmacOSの新マルウェアでチャットアプリをバックドア化]
https://www.bleepingcomputer.com/news/security/chinese-hackers-backdoor-chat-app-with-new-linux-macos-malware/
⇒ https://malware-log.hatenablog.com/entry/2022/08/12/000000_4

【ニュース】

■2015年

◆Threat Group 3390 Cyberespionage (Secureworks, 2015/08/05)
https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
⇒ http://malware-log.hatenablog.com/entry/2015/08/05/000000_3

■2018年

◆LuckyMouse uses malicious NDISProxy Windows driver to target gov't entities (ZDNet, 2018/09/10)
https://www.zdnet.com/article/luckymouse-targets-govt-entities-through-malicious-ndisproxy-driver/
⇒ http://malware-log.hatenablog.com/entry/2018/09/10/000000_5

◆Kaspersky Lab、サイバー犯罪組織「LuckyMouse」が盗んだ正規のデジタル証明書でマルウェアに署名し、攻撃に利用していることを確認 (産経新聞, 2018/09/18 14:44)
http://www.sankei.com/economy/news/180918/prl1809180243-n1.html
⇒ http://malware-log.hatenablog.com/entry/2018/09/18/185335

■2019年

◆RSAC 2019: Bronze Union APT Updates Remote Access Trojans in Fresh Wave of Attacks (ThreatPost, 2019/02/27)
https://threatpost.com/bronze-union-apt-updates-remote-access-trojans-in-fresh-wave-of-attacks/142219/
⇒ http://malware-log.hatenablog.com/entry/2019/02/27/000000_4

◆少数ながら、APTグループ「Emmissary Panda」に類似した攻撃を検知（ラック）(NetSecurity, 2019/12/26 06:06)
https://scan.netsecurity.ne.jp/article/2019/12/26/43462.html
⇒ https://malware-log.hatenablog.com/entry/2019/12/26/000000_8

■2021年

◆China's APT hackers move to ransomware attacks (BleepingComputer, 2021/01/04 09:36)
[中国のAPTハッカーがランサムウェア攻撃に動く]
https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/
⇒ https://malware-log.hatenablog.com/entry/2021/01/04/000000

◆APT27 continues targeting the gambling industry. New APT34 activity. Malicious code in APKPure app store. (Cyberwire, 2021/04/14)
[APT27は引き続きギャンブル業界を標的にしています。新たなAPT34の活動。APKPureアプリストアに悪意のあるコード]
https://thecyberwire.com/newsletters/research-briefing/3/15
⇒ https://malware-log.hatenablog.com/entry/2021/04/14/000000_3

■2022年

◆サイバー攻撃の被害に遭った赤十字、「国家が支援」するハッカーが未パッチの脆弱性を悪用したと発表 (TechCrunch, 2022/02/18)
https://jp.techcrunch.com/2022/02/18/2022-02-16-red-cross-links-january-cyberattack-to-state-sponsored-hackers/
⇒ https://malware-log.hatenablog.com/entry/2022/02/18/000000_3

◆中国系ハッカーが台湾の重要インフラを攻撃しない理由 (Wedge, 2022/08/08 13:46)
https://wedge.ismedia.jp/articles/-/27534
⇒ https://malware-log.hatenablog.com/entry/2022/08/08/000000_2

◆Chinese hackers backdoor chat app with new Linux, macOS malware (BleepingComputer, 2022/08/12)
[中国のハッカーがLinuxとmacOSの新マルウェアでチャットアプリをバックドア化]
https://www.bleepingcomputer.com/news/security/chinese-hackers-backdoor-chat-app-with-new-linux-macos-malware/
⇒ https://malware-log.hatenablog.com/entry/2022/08/12/000000_4

【ブログ】

■2015年

◆Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes” (Ars Technica, 2015/08/06 04:00)

Emissary Panda group penetrated the networks of industrial espionage targets.

https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/
⇒ https://malware-log.hatenablog.com/entry/2015/08/06/000000_1

■2016年

◆ThreatConnect identifies Chinese targeting of two companies. Economic espionage or military intelligence? (ThreatConnect, 2016/10/17)
https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/
⇒ https://malware-log.hatenablog.com/entry/2016/10/17/000000_4

■2017年

◆BRONZE UNION Cyberespionage Persists Despite Disclosures (SecureWorks, 2017/06/27)
https://www.secureworks.com/research/bronze-union
⇒ https://malware-log.hatenablog.com/entry/2017/06/27/000000_3

■2018年

◆Decoding network data from a Gh0st RAT variant (nccgroup, 2018/04/17)
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/
⇒ https://malware-log.hatenablog.com/entry/2018/04/17/000000_5

◆LuckyMouse hits national data center to organize country-level waterholing campaign (Kaspersky, 2018/06/13 10:00)
https://securelist.com/luckymouse-hits-national-data-center/86083/
⇒ http://malware-log.hatenablog.com/entry/2018/06/13/000000_2

◆Emissary Panda – A potential new malicious tool Introduction (nccgroup, 2018/05/18)
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/
⇒ https://malware-log.hatenablog.com/entry/2018/05/18/000000_4

◆Chinese Hackers Carried Out Country-Level Watering Hole Attack (The Hacker News, 2018/06/14)
https://thehackernews.com/2018/06/chinese-watering-hole-attack.html
⇒ https://malware-log.hatenablog.com/entry/2018/06/14/000000_7

◆LuckyMouse Group is back and using a legitimate certificate to sign malware (Kaspersky, 2018/09/10)
https://www.kaspersky.com/about/press-releases/2018_luckymouse-group-is-back-and-using-a-legitimate-certificate-to-sign-malware
⇒ http://malware-log.hatenablog.com/entry/2018/09/10/000000_4

■2021年

◆Exchange servers under siege from at least 10 APT groups (WeLiveSecurity, 2021/03/10 14:00)
[少なくとも10のAPTグループから四面楚歌のExchangeサーバー]

ESET Research has found LuckyMouse, Tick, Winnti Group, and Calypso, among others, are likely using the recent Microsoft Exchange vulnerabilities to compromise email servers all around the world
[ESETリサーチによると、LuckyMouse、Tick、Winnti Group、Calypsoなどが、最近のMicrosoft Exchangeの脆弱性を利用して世界中のメールサーバーを危険にさらしている可能性が高いことがわかりました]

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
⇒ https://malware-log.hatenablog.com/entry/2021/03/10/000000_3

■2023年

◆Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting (Trendmicro, 2023/03/01)
[Iron TigerのSysUpdateが再登場、Linuxをターゲットにした機能を追加]
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
⇒ https://malware-log.hatenablog.com/entry/2023/03/01/000000_3

【公開情報】

■2015年

◆REGIONAL ADVANCED THREAT REPORT:Europe, Middle East and Africa 1H2015 (FireEye, 2015)
https://www.fireeye.com/content/dam/fireeye-www/partners/pdfs/rpt-regional-atr-emea-web-bt.pdf
⇒ http://malware-log.hatenablog.com/entry/2015/04/01/000000

【図表】

出典: https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/26160121/bronze-union.png

【検索】

google: APT27
google: Emissary Panda
google: Bronze Union
google: TG-3390
google: Threat Group-3390
google: ZipToken
google: ARCHERFISH
google: Iron Tiger
google: Group 35
google: TEMP.Hippo
google: LuckyMouse
google: HIPPOTeam

google:news: APT27

google: site:virustotal.com APT27

■Bing

https://www.bing.com/search?q=APT27
https://www.bing.com/news/search?q=APT27

■Twitter

https://twitter.com/search?q=%23APT27

【関連まとめ記事】

◆全体まとめ
　◆攻撃組織 / Actor (まとめ)

◆標的型攻撃組織 / APT (まとめ)
https://malware-log.hatenablog.com/entry/APT

【インディケータ情報】

■ハッシュ情報(MD5)

• 3BEA073FA50B62C561CEDD9619CD8425

■ハッシュ情報(Sha256)

SHA-256	Filename
EE04B324F7E25B59D3412232A79D1878632D6817C3BB49500B214BF19AFA4E2C	Mozilla.exe
0BA49FEB7784E6D33D821B36C5C669D09E58B6795ACA3EEBBF104B763B3B3C20	Updateproxy.dll
33B7407E534B46BF8EC06D9F45ECD2D3C7D954340669E94CD7CEDCBAE5BAD2DD	Telnet.dll
6160AF383794212B6AD8AB9D6D104BBE7AEFB22410F3AB8EA238F98DABFC48B7	Socks.dll
C63B01C40038CA076072A35913F56D82E32FCEE3567650F3392B5C5DA0004548	Shell.dll
D51EC4ACEAFA971E7ABD0CF4D27539A4212A448268EF1DB285CD9CE9024D6EB3	Session.dll
BD8086DE44E16EFDD380E23E49C4058D956538B01E1AE999B679B6B76B643C7D	Screen.dll
B44A9545B697B4D46D5B96862A6F19EA72F89FED279F56309B2F245AC8380BE0	Port.dll
F4DF97108F18654089CFB863F2A45AA41D17A3CE8A44CCCC474F281A20123436	File.dll
D31D38403E039F5938AE8A5297F35EB5343BB9362D08499B1E07FAD3936CE6F7	ConEmu.exe
A591D4D5B8D23FF12E44A301CE5D4D9BF966EBA0FC0068085B4B4EC3CE352963	Noodles.exe
EEBFF21DEF49AF4E85C26523AF2AD659125A07A09DB50AC06BD3746483C89F9D	Coal.exe (Malicious executable)
97B9D7E16CD6B78A090E9FA7863BD9A57EA5BBE6AE443FA788603EEE5DA0BFC3	Abg.exe (Malicious executable)
B6C21C26AEF75AD709F6C9CFA84BFA15B7EE709588382CE4BC3544A04BCEB661	23d.exe (Malicious executable)
DB9B9FA9EFA53662EC27F4B74B79E745F54B6C30C547A4E5BD2754E9F635F6DB	89d.exe (Malicious executable)

■IPアドレス(C&C)

• 23.227.207.137
• 89.249.65.194

■ファイル

• C:\ProgramData\HIDMgr
• C:\ProgramData\Rascon
• C:\ProgramData\TrkSvr

■サービス

• HIDMgr
• RasconMan
• TrkSvr

■レジストリ

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run

(以上は nccgroupの情報。 引用元は https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/)

■マルウェア情報

MD5	3bea073fa50b62c561cedd9619cd8425
SHA1	ae917a61cb01df3906472b3140193c1ef62f8d75
SHA256	df7bafe27b2ac5121d3c46405f7c168453dbc09200049d693dceff6c4b59b2db
SHA512
SSDEEP	768:8kTUqTrSxd1WaNmN+NoF4P2MBL/enc8RGIcA2YvrK3gHLXokP:LwqCd1dINmEYYBGIcA2UK3Mok
authentihash	8e313f41dc7e65a09f3b2b944cdc53276e01988e85834bb3053d23b9d7eb5013
imphash	e62620335bb00fe44ca7fe6a8bd55a4b
File Size	86016 bytes
File Type	Win32 EXE (PE32 executable for MS Windows (GUI) Intel 80386 32-bit)
コンパイル日時	2015-06-30 10:29:41
Debug Path
File Name
File Path
生成ファイル
特徴
参考情報	https://www.virustotal.com/ja/file/df7bafe27b2ac5121d3c46405f7c168453dbc09200049d693dceff6c4b59b2db/analysis/

◆ハッシュ情報(MD5)

• 22CBE2B0F1EF3F2B18B4C5AED6D7BB79
• 0D0320878946A73749111E6C94BF1525
• ac337bd5f6f18b8fe009e45d65a2b09b
• 04dece2662f648f619d9c0377a7ba7c0

◆FQDN

• bbs.sonypsps[.]com
• update.iaacstudio[.]com
• wh0am1.itbaydns[.]com
• google-updata[.]tk
• windows-updata[.]tk